The function password_verify() in the new PHP password API checks if the password corresponds to the hash. The hash is generated by password_hash(), which by default uses a random salt and a cost = 10.
I always thought (although I never studied it) that you have to store the salt inside the database and then, when you want to verify the password, hash it with the given salt using the same cost. How can password_verify() check the password without knowing salt and cost?
The password_verify() function is used to match the hashed password with the original password. Another function, password_hash(), is used to generate the hash value based on the hashing algorithm, cost, and salt value. The hash produced by password_hash() contains all the hashing information that password_verify() needs to verify it against the password.
The password_verify() function can verify that a given hash matches the given password. Note that the password_hash() function returns the algorithm, cost, and salt as part of the returned hash. Therefore, all the information needed to verify a hash is included in it.
To verify the hashed password: PHP provides an inbuilt function called password_verify() to match the hashed password to the original password. Parameters: $password: The password that we have hashed using a hashing algorithm. $hash: The hashed password that we are going to verify against the original password.
You first hash the password by doing this: $hashed_password = password_hash($password, PASSWORD_DEFAULT); Then see the output: var_dump($hashed_password);
The string returned by password_hash() contains not only the hash, but also the algorithm, cost and salt.
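As an added example (not code from any of the answers above), the script below takes apart the string password_hash() returns to show where the algorithm, cost and salt live, then re-derives the same hash from those parts the way password_verify() does internally. The password value is a constructed sample; a bcrypt hash with cost 10 is assumed so the field layout is fixed.

```php
<?php
// Added example: how password_verify() recovers algorithm, cost and salt
// from the hash string itself, so nothing else has to be stored.

$password = 'correct horse battery staple'; // constructed sample password

// Default cost is 10; the salt is generated randomly by PHP on each call.
$hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
var_dump($hash); // string(60) "$2y$10$<22-char salt><31-char digest>"

// password_get_info() reads the algorithm and options straight from the hash.
$info = password_get_info($hash);
var_dump($info['algoName']);        // "bcrypt"
var_dump($info['options']['cost']); // int(10)

// Manually splitting a bcrypt hash (modular crypt format):
//   "$2y$" identifier, "10$" cost, then 22 chars of salt and 31 of digest.
[, $algo, $cost, $saltAndDigest] = explode('$', $hash);
$salt   = substr($saltAndDigest, 0, 22);
$digest = substr($saltAndDigest, 22);
printf("algo=%s cost=%d salt=%s digest=%s\n", $algo, $cost, $salt, $digest);

// Verification needs only the password and the stored string.
var_dump(password_verify($password, $hash));        // bool(true)
var_dump(password_verify('wrong password', $hash)); // bool(false)

// What password_verify() does under the hood: feed the stored algorithm,
// cost and salt back into crypt(), which reproduces the full string, then
// compare in constant time.
$recomputed = crypt($password, '$' . $algo . '$' . $cost . '$' . $salt);
var_dump(hash_equals($hash, $recomputed)); // bool(true)

// Because the cost is stored in the hash, you can detect stale hashes at
// login and re-hash them under a stronger policy.
var_dump(password_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => 12])); // bool(true)
```

Note that the salt printed here is part of the same 60-character string you save in the database; there is no separate salt column to keep in sync with the hash.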